Certified Information Security Manager (CISM) — Question 285
Which of the following is MOST important to ensure when considering exceptions to an information security policy?
Answer options
- A. Exceptions are approved by executive management.
- B. Exceptions undergo regular review.
- C. Exceptions reflect the organizational risk appetite.
- D. Exceptions are based on data classification.
Correct answer: C
Explanation
The correct answer is C because any exception to an information security policy should align with the organization's risk appetite, so that granting it does not expose the organization to unacceptable risk. Executive management approval (A), regular review (B), and data classification (D) all matter, but they are secondary to ensuring that each exception stays within the organization's defined risk tolerance.